PowerShell script Archives

Winsage

May 27, 2026

Windows Users Targeted in New Phishing Campaign

Research from FortiGuard Labs has identified a phishing campaign that disguises itself as purchase orders, prompting recipients to open harmful attachments. The campaign begins with a phishing email containing a malicious JavaScript file. When executed, this JavaScript decrypts and runs a PowerShell script that uses process hollowing to inject a .NET downloader module into the trusted Windows process MsBuild.exe. This downloader connects to a remote command and control (C2) server to download and execute additional modules, allowing the attacker to alter the malware's behavior after the initial compromise. The campaign poses significant detection challenges for Windows users due to its use of multiple encryption layers, fileless execution techniques, and process hollowing strategies. Security experts emphasize the need for organizations to enhance their detection capabilities beyond traditional methods, focusing on identifying suspicious activity across various devices and applications. The phishing attack exploits social engineering tactics and blends malicious actions with legitimate administrative tools, complicating detection efforts. Additionally, the human element plays a crucial role in breaches, highlighting the importance of effective communication and collaboration between security teams and other departments to improve security awareness and behavior.

Winsage

May 23, 2026

Windows 11 now lets you remove Microsoft Copilot app with Group Policy or Registry, as it tries to win back users

Recent feedback from Windows 11 users has led Microsoft to simplify the process of uninstalling Copilot due to dissatisfaction with its integration. A Group Policy option titled “Remove Microsoft Copilot app” has been introduced in the April 2026 Update, allowing users to remove Copilot via User Configuration > Administrative Templates > Windows Components > Windows AI. Users can also uninstall Copilot directly from the installed apps list or by right-clicking the icon, although it may reappear after a fresh installation due to certain updates. To uninstall Copilot and Microsoft 365 Copilot using Group Policy, the following conditions must be met: both apps must be installed, the user did not install them independently, and the Copilot app has not been used for over 28 days. This policy is supported on Pro, Enterprise, Education, and IoT Enterprise or LTSC versions of Windows 11. Windows 11 Home users can manually remove Copilot by creating a registry key at HKEYCURRENTUSERSoftwarePoliciesMicrosoftWindowsWindowsAI and setting a DWORD value named RemoveMicrosoftCopilotApp to 1. Alternatively, users can execute a PowerShell script to remove Copilot. Microsoft has not provided an uninstall option for Copilot in the Start menu.

Winsage

May 17, 2026

Microsoft confirms Windows 11 KB5089549 issues due to low storage, says it’s rolling out an emergency patch to fix install errors

Microsoft has acknowledged an issue with the installation of Windows 11’s May 2026 Update (KB5089549), which has been encountering errors such as 0x800f0922, 0x80240069, and 0x80240031. An emergency server-side update is being implemented to resolve these installation hurdles. The KB5089549 update is mandatory and intended to install automatically on compatible PCs, but some users have reported difficulties, including installation stalling around 35-36%, leading to a rollback with a message stating, “something didn’t go as planned. Undoing changes.” Investigations reveal that installation failures are particularly affecting devices with limited EFI partition space, with error code 0x800f0922 indicating insufficient free space and potential conflicts with third-party files. The EFI System Partition (ESP) typically occupies no more than 100MB and can become congested due to leftover files, causing installation failures when available space is low. Users with less than 10MB of free EFI storage may face additional complications. A PowerShell command can be used to check EFI storage status. Microsoft has advised users to consider increasing the size of the ESP by modifying the Windows Registry, although the recent server-side update may have already addressed the issue. The Known Issue Rollback (KIR) has been implemented, automatically propagating the resolution to devices. Users are encouraged to restart their devices to expedite the application of the fix, and there are no additional bugs reported.

Winsage

May 17, 2026

I got tired of hunting through Windows for every setting, so I built my own control center

The utility created simplifies Windows management by consolidating various settings and diagnostics into a single interface. It provides an overview of system metrics such as DNS latency, system uptime, and temporary file accumulation. The application includes dedicated pages for health checks, network insights, services, scheduled tasks, drives, drivers, power plans, gaming toggles, privacy settings, and taskbar configuration. Each diagnostic is executed through PowerShell scripts, with results displayed in a user-friendly format. The utility maintains transparency by creating .reg backups before modifying the registry and allows users to revert changes easily. It is open-source, lightweight, and designed for personal use rather than debloating. The program's structure enables users to inspect and modify scripts, ensuring clarity and control over system adjustments.

Winsage

May 16, 2026

I got tired of hunting through Windows for every setting, so I built my own control center

The utility developed streamlines access to Windows diagnostics and tweaks, consolidating functionalities typically spread across various settings panels into a single interface. It features an overview page with key system metrics and organized sections for health checks, network details, services, scheduled tasks, drives, drivers, power plans, gaming settings, privacy options, and taskbar adjustments. Each diagnostic is executed via PowerShell scripts that output JSON data for display. The application ensures transparency in registry changes by creating .reg backups before modifications and allows users to revert changes easily. It focuses on practical tweaks rather than debloating, maintaining a lightweight design without extensive features. The tool is open source and available on GitHub.

Winsage

May 12, 2026

Hackers Can Hide Malware Inside Images to Hack Windows

Researchers at Cyfirma have identified a cyberattack campaign named Operation SilentCanvas that targets Windows systems using deceptive JPEG files to infiltrate devices. The attack begins with victims receiving a file named sysupdate.jpeg, which contains a PowerShell script instead of an image. This script establishes staging environments and downloads additional malicious components while avoiding detection. The malware reconstructs command strings at runtime and downloads a secondary payload called access.jpeg, executed in memory. It exploits Microsoft's .NET compiler to create a custom launcher named uds.exe on infected machines. The malware takes control of a registry key to create a hidden desktop environment for undetected execution of malicious tools and installs a persistent Windows service, OneDriveServers, to maintain activity after reboots. Additionally, it can intercept usernames and passwords at the Windows login screen and create hidden local administrator accounts for long-term access. Security teams are advised to monitor the execution of commonly abused Windows binaries like csc.exe and ComputerDefaults.exe to mitigate risks.

Winsage

March 11, 2026

How to disable Hyper-V for Windows 11

Microsoft's Hyper-V is a hardware virtualization platform integrated into Windows 11 Professional, Enterprise, and Education editions, allowing users to host multiple virtual machines (VMs) on a single computer. It operates using a type 1 hypervisor directly on hardware, enabling VMs to share resources like CPU, memory, and storage. Hyper-V includes features such as dynamic memory allocation, software-defined networking, and saved checkpoints. IT administrators may need to disable Hyper-V due to compatibility issues with third-party virtualization software, high-precision applications, or driver conflicts. Disabling Hyper-V can also affect security features reliant on it, such as virtualization-based security (VBS) and Device Guard. Methods to disable Hyper-V include: 1. Using the Windows Features dialog. 2. Executing a PowerShell command: Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All, HypervisorPlatform, VirtualMachinePlatform. 3. Running a DISM command:

dism /Online /Disable-Feature /FeatureName:Microsoft-Hyper-V-All /FeatureName:HypervisorPlatform /FeatureName:VirtualMachinePlatform

. 4. Using the bcdedit command: bcdedit /set hypervisorlaunchtype off. 5. Modifying Group Policy to disable VBS. 6. Editing the Windows Registry to disable VBS or Credential Guard. For multiple managed computers, administrators can create and execute a PowerShell script or use Group Policy Objects to streamline the process. Testing in a controlled environment is recommended to ensure desired outcomes without compromising security or functionality.

Winsage

March 2, 2026

Fake Xeno and Roblox Utilities Used to Install Windows RAT, Microsoft Warns

Cybersecurity experts at Microsoft Threat Intelligence have identified a trend where attackers distribute counterfeit gaming tools that install a remote access trojan (RAT) on users' systems. These trojanized executables, such as Xeno.exe or RobloxPlayerBeta.exe, are shared through browsers and chat platforms. The initial executable acts as a downloader, installing a portable Java runtime environment and launching a harmful Java archive, jd-gui.jar. Attackers use built-in Windows tools to execute commands via PowerShell and exploit trusted system binaries, minimizing detection risk. The embedded PowerShell script connects to remote locations, downloads an executable as update.exe, and executes it. The malware erases evidence of the downloader and modifies Microsoft Defender settings to allow RAT components to function undetected. It establishes persistence through scheduled tasks and a startup script named world.vbs, enabling prolonged access to the compromised device. Microsoft Defender can detect the malware and its behaviors, and organizations are advised to monitor outbound traffic and block identified domains and IP addresses. Users are encouraged to scrutinize Microsoft Defender exclusions and scheduled tasks for irregularities and remain cautious about downloading tools from unofficial sources.

Winsage

February 28, 2026

Microsoft confirms a wider roll out of Windows 11’s new colourful battery icons on the taskbar

Windows 11 users will see colorful battery icons on the taskbar as Microsoft rolls out updates, including the new Start menu, with the update KB5077241. The vibrant battery icons have been in development for nearly two years, with initial testing starting in late 2024. The rollout began last year but was limited to select PCs. An optional update in February 2026 will further expand the availability of these icons and the updated Start menu. The new battery icon replaces the plain white bar with a green icon when charging, featuring a charging bolt during the process. The icon changes color based on battery levels: it turns orange at 30% and red below 6%. Users can display the battery percentage on the taskbar by enabling it in Settings > System > Power & Battery. Recent improvements to the Windows taskbar include the return of drag-and-drop functionality, the ability to resize the taskbar, and potential options to reposition it. Microsoft is also updating Secure Boot certificates, set to expire in June 2026, and distributing new certificates issued in 2023 to more PCs. A tutorial is available for users to verify the application of these new Secure Boot certificates.

Winsage

February 18, 2026

Attackers steal Windows users’ data using fake CAPTCHA checks

Fraudsters are using counterfeit CAPTCHA confirmation pages to deploy StealC, an information-stealing malware targeting Windows systems. Users are tricked into visiting compromised websites where a fake CAPTCHA prompts them to execute a sequence of keystrokes that runs a malicious PowerShell command. This command connects to a remote server, downloads shellcode, and injects the StealC payload into svchost.exe. Once installed, StealC collects sensitive information such as browser credentials, email data, and cryptocurrency wallet details, facilitating fraud and account hijacking. The malware operates primarily in the system's RAM, making detection difficult.